PMA - 0x01 - Malware Analysis Primer

Malware Analysis Primer

Goals of Malware Analysis

  • To determine exactly what happened, make sure you have located all infected machines and files, and then develop signatures (host-based and network-based)
  • Types of signatures
    • Host-based signatures detect malicious code on victim computers by identifying the files the malware created or modified
    • Network-based signatures detect malicious code by monitoring network traffic
  • Finally, we figure out how the malware works
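As an added example (not from the book or this post), the following Python builds a host-based signature in the way the goals above describe: snapshot a directory tree before and after a sample runs in a sandbox, diff the two to find files the sample created or modified, and record path plus SHA-256 for each. The file names and contents in `demo()` are constructed; no real malware is involved.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    snap: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Tuple[dict, dict, list]:
    """Split the post-run state into created, modified and deleted files."""
    created = {k: v for k, v in after.items() if k not in before}
    modified = {k: v for k, v in after.items() if k in before and before[k] != v}
    deleted = sorted(k for k in before if k not in after)
    return created, modified, deleted

def host_signature(created: Dict[str, str], modified: Dict[str, str]) -> List[dict]:
    """Host-based signature: path and hash of each file the sample created or modified."""
    sig = [{"path": p, "sha256": h, "change": "created"} for p, h in created.items()]
    sig += [{"path": p, "sha256": h, "change": "modified"} for p, h in modified.items()]
    return sorted(sig, key=lambda e: e["path"])

def demo() -> List[dict]:
    """Constructed scenario: baseline a fake system root, simulate the file changes
    a sandbox run might leave behind, then diff. Returns the host-based signature."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ original")
        before = snapshot(root)
        # Simulated effects of the sample (constructed data, not real malware):
        (root / "Windows" / "svchost32.dll").write_bytes(b"MZ dropped payload")   # created
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")  # modified
        after = snapshot(root)
        created, modified, _deleted = diff_snapshots(before, after)
        return host_signature(created, modified)

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The deleted-file list is returned but not turned into a signature entry, since there is no hash to record for a file that no longer exists; log those paths separately.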

Malware Analysis Techniques

  • Types of techniques
    • Static Analysis
      • Examining the executable without running it
      • Reverse engineering the malware’s internals by disassembling it and looking at its instructions
    • Dynamic Analysis
      • Running the malware and examining its behavior in order to remove its infection and create signatures
      • Quite often we use a debugger to understand how malware is being
  • Types of Malware
    • Backdoor —> Malicious code that is installed and allows an attacker to gain access to the local system with little or no authentication
    • Botnet —> Similar to a backdoor, but it allows the attacker to send commands from a central command-and-control (C2) server
    • Downloader —> Malicious code which downloads additional malicious code
    • Information-stealing malware —> Malware which steals sensitive data from the victim’s computer and sends it to the attacker
    • Launcher —> Used to launch other malicious programs
    • Rootkit —> Code designed to hide other malicious programs
    • Scareware —> Designed to frighten the user into buying “software”
    • Spam-Sending Malware —> Sends spam, allowing attackers to generate income from that process
    • Worm or Virus —> Code that can copy itself and infect additional computers
  • Tips and Tricks
    • Focus on key features rather than dissecting every detail, as malware is a complex piece of software
    • Try analyzing malware from different approaches and angles using different tools; don’t get stuck on one
    • Recognize, understand, and defeat new techniques from malware authors as they appear
© 2025 Avantika.